[GRLUG] Wireless question
Adam Tauno Williams
awilliam at whitemice.org
Tue Dec 28 06:29:20 EST 2010
On Mon, 2010-12-27 at 23:52 -0500, Mike Williams wrote:
> It depends on what you're trying to accomplish. It's fairly easy to run
> an SSH proxy on a Linux box that has a public IP. This will work to make
> your communications sniff-proof by other users at the free wifi you're
> using. I believe your DNS requests are still unencrypted, so anyone
> sniffing could see what DNS lookups you're doing, but that's it. This
> level of encryption is not the same as truly secure communication, as

HTTPS, IMAP/SSL is "truly secure" communication. But it is "secure
*communication*", of course, you still have to trust the remote end.

And not all inter-MTA SMTP is unencrypted [which seems to be a common
belief - even among NPR's "IT security & privacy experts"; who should
all be fired]. I know the MTA (postfix) at work receives and sends
about 30% of its messages with TLS enabled. If the remote MTA supports
TLS and the cert is valid the two MTAs will encrypt the traffic. This
number is rising steadily.

> once they get to your server, wherever it is, the communication goes
> unencrypted and can theoretically be intercepted between your server and
> the email or web server you are talking to. The only way for your email
> to not be sniffed is to run encryption between your machine and the
> server. GMail allows encrypted IMAP, but not much else does.
@*($&*(@$ ??? Just about everyone supports IMAP/TLS.
> Still,
> email should not be considered secure regardless. Between email servers
> (yours and the other party's), conversations are always unencrypted.
This is false.
> On 12/27/2010 10:35 PM, Michael Mol wrote:
> > On Mon, Dec 27, 2010 at 9:45 PM, John-Thomas Richards <jtr at jrichards.org> wrote:
> >> On Sun, Dec 26, 2010 at 08:15:40PM -0500, Bob Kline wrote:
> >>> I'd see two issues. One is to keep your e-mail and other operations
> >>> private, and I'd think https was good enough.
> >> https? What about IMAP or POP3/SMTP?
> > Something I've been mulling in my head for a while. Proxies such as
> > Squid can be used for most protocols. How difficult is it to
> > SSL-encrypt the Squid proxy, and require all connections go through
> > that? That'd seem to allow even an open 802.11 network, as long as the
> > client didn't barf on the cert required to talk to the proxy.
--
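
One way to measure what share of a Postfix MTA's messages travel over TLS, the figure the message above quotes for its own server. This is an added example, not part of the original post; it assumes `smtpd_tls_loglevel = 1` and `smtp_tls_loglevel = 1` so that handshakes are logged, and the sample log lines and the `tls_share` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines (documentation addresses), in the format
# Postfix writes when smtpd_tls_loglevel = 1 and smtp_tls_loglevel = 1.
SAMPLE_LOG = """\
Dec 28 06:00:01 mx postfix/smtpd[101]: connect from a.example.org[192.0.2.10]
Dec 28 06:00:01 mx postfix/smtpd[101]: Anonymous TLS connection established from a.example.org[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Dec 28 06:00:02 mx postfix/smtpd[101]: 4F1A2B3C: client=a.example.org[192.0.2.10]
Dec 28 06:00:03 mx postfix/smtpd[101]: disconnect from a.example.org[192.0.2.10]
Dec 28 06:01:00 mx postfix/smtpd[101]: connect from b.example.net[198.51.100.7]
Dec 28 06:01:01 mx postfix/smtpd[101]: 5A6B7C8D: client=b.example.net[198.51.100.7]
Dec 28 06:01:02 mx postfix/smtpd[101]: disconnect from b.example.net[198.51.100.7]
Dec 28 06:02:00 mx postfix/smtp[202]: Untrusted TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Dec 28 06:02:01 mx postfix/smtp[202]: 4F1A2B3C: to=<u@example.com>, relay=mx.example.com[203.0.113.5]:25, delay=1.2, status=sent (250 ok)
Dec 28 06:03:00 mx postfix/smtp[202]: 5A6B7C8D: to=<v@example.edu>, relay=mail.example.edu[192.0.2.99]:25, delay=0.9, status=sent (250 ok)
"""

LINE = re.compile(r"postfix/(smtpd|smtp)\[(\d+)\]: (.*)")
TLS = re.compile(r"TLS connection established (?:from|to) (\S+): ")

def tls_share(log_text):
    """Return {'in': (tls, total), 'out': (tls, total)} message counts."""
    tls_peer = {}        # (daemon, pid) -> peer of that process's current TLS session
    seen = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, pid, msg = m.groups()
        key = (daemon, pid)
        t = TLS.search(msg)
        if t:
            tls_peer[key] = t.group(1)
        elif msg.startswith(("connect from ", "disconnect from ")):
            tls_peer.pop(key, None)      # session boundary: no TLS negotiated yet
        elif daemon == "smtpd" and re.match(r"\w+: client=", msg):
            seen["in"] += 1              # one accepted inbound message
            seen["in_tls"] += key in tls_peer
        elif daemon == "smtp" and "status=sent" in msg:
            relay = re.search(r"relay=([^,]+),", msg)
            seen["out"] += 1
            # Heuristic: encrypted if this process's last handshake was with this relay.
            seen["out_tls"] += bool(relay) and tls_peer.get(key) == relay.group(1)
    return {"in": (seen["in_tls"], seen["in"]), "out": (seen["out_tls"], seen["out"])}

if __name__ == "__main__":
    print(tls_share(SAMPLE_LOG))
```

An "Untrusted" or "Anonymous" handshake still encrypts the hop; it only means the peer's certificate was not verified, so count those separately if certificate validity matters to you.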